6 matches found
CVE-2024-10044
CVE-2024-10044 describes a Server-Side Request Forgery (SSRF) in the lm-sys/fastchat Controller API Server, affecting the POST /worker_generate_stream endpoint. The vulnerability allows an attacker to misuse the controller API server’s credentials to perform unauthorized web actions or access res...
CVE-2024-10908
The CVE-2024-10908 entry describes an open redirect vulnerability in lm-sys/fastchat release 0.2.36. The issue allows remote, unauthenticated attackers to redirect users to arbitrary URLs, enabling phishing, malware distribution, and credential theft. Affected component: lm-sys/fastchat, version ...
CVE-2024-12376
The CVE-2024-12376 entry describes a Server-Side Request Forgery (SSRF) in the lm-sys/fastchat web server, specifically affecting the git 2c68a13 revision. The vulnerability allows an attacker to access internal server resources and data not normally reachable, including AWS metadata credentials....
CVE-2024-11603
Summary: CVE-2024-11603 is a Server-Side Request Forgery (SSRF) vulnerability in lm-sys/fastchat 0.2.36. The flaw resides in the /queue/join? endpoint where insufficient validation of the path parameter enables crafted requests that can reach internal networks or the AWS metadata endpoint. Multip...
CVE-2024-10907
CVE-2024-10907 affects lm-sys/fastchat Release v0.2.36. The server fails to handle excessive characters appended to the end of multipart boundaries, allowing an unauthenticated attacker to send malformed multipart requests. Each extra boundary character can be processed in an infinite loop, causi...
CVE-2024-10912
CVE-2024-10912 affects lm-sys/fastchat 0.2.36. The DoS arises from improper handling of multipart/form-data with a very large filename in the file upload path, per Red Hat/NVD/CVE records and related advisories. An attacker can exhaust server resources by sending a payload with an oversized filen...